Abstract

Qualitative formal verification, which seeks boolean answers about the
behavior of a system, is often insufficient for practical purposes. Observing
quantitative information is of interest, e.g. for the proper calibration of
a battery or a real-time scheduler. Historically, the focus has been on
quantities in a continuous domain, but recent years have shown a renewed
interest in discrete quantitative domains.

Cost Linear Temporal Logic (CLTL) is a quantitative extension of classical
LTL. It fits into a rich theory developed over the past few years that
extends the qualitative setting, with counterparts in terms of logics,
automata and algebraic structure. We propose a practical usage of this
logic for model-checking purposes. A CLTL formula defines a function
from infinite words to integers. Finding the bounds of such a function
over a given set of words can be seen as an extension of LTL universal
and existential model-checking. We propose a CEGAR-like algorithm to
find these bounds by relying on classical LTL model-checking, and use
Büchi automata with counters to implement it. This method constitutes
a first step towards the practical use of such a discrete quantitative logic.


1 Introduction 

Qualitative verification, asking questions with boolean answers about a system,
may be too strict for various applications. Calibrating a battery, timing a
scheduler, or measuring quality of service are practical problems of system
designers for which formal verification can offer a guarantee. Many works focus
on the case of continuous quantitative domains (stochastic systems, real-time
systems, ...), and the case of discrete domains has long been overlooked.

The ability to count events is an important feature, e.g. to evaluate logical
time (number of actions done by a robot, number of context switches done by
a scheduler, ...). Such measurements are of primary interest to evaluate the
behavior of a system at early stages of development. Logical time can also
serve as a first approximation of real time, when events have a known bounded
duration. We seek in this paper to use a logic able to count events in a system
with infinite behaviors, with a focus on applicability. Following the automata-based
approach largely adopted for Linear Temporal Logic (LTL) verification, we study
a quantitative extension of automata able to count events.

Among numerous quantitative extensions to finite automata, we focus on the
one defined by Colcombet and Bojańczyk [3]. Finite automata are extended with
a finite set of counters that can be incremented and reset. A special operation
observe allows storing the current value of a counter, to further determine
the value of a run as the infimum or the supremum of such stored values.
They are part of a vast theory that nicely extends finite automata theory,
with its logical and algebraic counterparts, closure properties, over finite and
infinite words and finite trees. Such automata define functions from words to
integers, termed cost functions. Due to the undecidability of comparing two
cost functions, many nice features of this theory rely on the consideration of
cost functions up to an equivalence relation that erases the exact values and
only retains whether the functions are bounded.

Regarding infinite words, on which we focus in this paper, the theory of cost
functions has links with other extensions of automata or logics that bound
a discrete quantity: bounding the maximal time between two returns to an
accepting state in ω-automata [2], or bounding the wait time for the finally
operator in LTL HZI. Considering exact values to count events is nevertheless
a great tool for verification. Think for example of the maximal number of
energy units consumed by a robot between two returns to its charging base,
to calibrate a battery; or the maximal number of simultaneous threads in a
parallel computation, to tune an appropriate scheduler; or the number of false
steps permitted to a human operator before a safeguard restriction occurs. For
such properties, determining whether the bound is finite or not is of little help.
We thus propose to apply the tools and methods developed for cost function
theory (over infinite words) to practical model-checking.

We use a counting extension of LTL, Cost LTL, introduced in [16] in the
context of the theory of cost functions. Our contribution is threefold:

• Cost LTL being an extension of LTL, we show how classical model-checking
problems on LTL extend to the quantitative case. We thus address the
problem of finding the bounds of the cost function defined by a formula,
with a focus on the upper bound search. We propose an algorithm to
compute such an upper bound using a CEGAR-like approach, where the
bound is computed thanks to successive refinements.

• We show how this algorithm is effective, implementing it by means of ω-
automata with counters. The computational bottleneck of the algorithm is
reduced to a Büchi automata emptiness check, to take advantage of existing
research in the field.

• We also present concrete examples of application of Cost LTL, to illustrate
its potential as a practical tool for verification.

The paper is organized as follows: Section 2 first presents Cost LTL, introduced
in [16], and some basic results used in the remainder of the paper. The
core of our contribution is a CEGAR-like algorithm to determine the bounds of
a cost function defined by a CLTL property, in Section 3. We then show in Section
4 how this algorithm can be effectively implemented thanks to ω-automata
equipped with counters. Finally, Section 6 presents related work, and Section 7
concludes our study and proposes leads for future developments.

Notations Given $u \in \Sigma^\omega$ an infinite word over an alphabet $\Sigma$, and $i \in \mathbb{N}$,
$u_i$ is the $i$-th letter of $u$, and $u^i$ the suffix of $u$ starting at $u_i$. Thus $u = u^0$ and
$u = u_0 \cdots u_{i-1} u^i$ for any $i > 0$. If $A$ is a finite set, $|A|$ denotes its cardinal.
For $A \subseteq \mathbb{N}$, $\inf A$ (resp. $\sup A$) denotes the infimum (resp. supremum) of $A$.
By convention, $\inf \emptyset = +\infty$ and $\sup \emptyset = 0$. Let $f \in \mathbb{N}^D$ for some set $D$. For
$D' \subseteq D$, the image of $D'$ by $f$ is the set $f(D') = \{f(x) \mid x \in D'\}$. We also note
$\sup_{D'} f = \sup f(D')$, respectively $\inf_{D'} f = \inf f(D')$.


2 Cost Linear Temporal Logics 

We first define Cost Linear Temporal Logic ($\mathrm{LTL}_\le$), as in [16]. Let $AP$ be a set
of atomic propositions. The set of $\mathrm{LTL}_\le$ formulae is defined by ($a$ ranges over
$AP$):

$\varphi ::= a \mid \neg a \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \varphi \,\mathsf{U}\, \varphi \mid \varphi \,\mathsf{R}\, \varphi \mid \mathsf{X}\varphi \mid \varphi \,\mathsf{U}_{\le}\, \varphi$

Every LTL formula has a semantically equivalent formula in Negative Normal
Form (NNF), where negations can only appear in front of an atomic proposition.
Any LTL formula in NNF is an $\mathrm{LTL}_\le$ formula, and in that sense, LTL is a strict
subset of $\mathrm{LTL}_\le$. From now on, we identify LTL with LTL in NNF, so that
$\mathrm{LTL} = \mathrm{LTL}_\le \setminus \{\mathsf{U}_\le\}$ and $\mathrm{LTL} \subsetneq \mathrm{LTL}_\le$.

A formula of $\mathrm{LTL}_\le$ is evaluated over infinite words on the alphabet $2^{AP}$.

Let $u \in (2^{AP})^\omega$, $n \in \mathbb{N}$, $\varphi_1, \varphi_2$ be $\mathrm{LTL}_\le$ formulae, and $a \in AP$:

$(u,n) \models_\le a$ iff $a \in u_0$

$(u,n) \models_\le \neg a$ iff $a \notin u_0$

$(u,n) \models_\le \varphi_1 \vee \varphi_2$ iff $(u,n) \models_\le \varphi_1$ or $(u,n) \models_\le \varphi_2$

$(u,n) \models_\le \varphi_1 \wedge \varphi_2$ iff $(u,n) \models_\le \varphi_1$ and $(u,n) \models_\le \varphi_2$

$(u,n) \models_\le \mathsf{X}\varphi_1$ iff $(u^1,n) \models_\le \varphi_1$

$(u,n) \models_\le \varphi_1 \,\mathsf{U}\, \varphi_2$ iff $\exists i \in \mathbb{N}$ s.t. $(u^i,n) \models_\le \varphi_2$ and $\forall j < i$, $(u^j,n) \models_\le \varphi_1$

$(u,n) \models_\le \varphi_1 \,\mathsf{R}\, \varphi_2$ iff $\forall i \in \mathbb{N}$, either $(u^i,n) \models_\le \varphi_2$ or $\exists j < i$ s.t. $(u^j,n) \models_\le \varphi_1$

$(u,n) \models_\le \varphi_1 \,\mathsf{U}_\le\, \varphi_2$ iff $\exists i \in \mathbb{N}$ s.t. $(u^i,n) \models_\le \varphi_2$ and $|\{j < i \mid (u^j,n) \not\models_\le \varphi_1\}| \le n$

The semantics of $\varphi \in \mathrm{LTL}_\le$ is the function

$[\![\varphi]\!]_\le : (2^{AP})^\omega \to \mathbb{N} \cup \{\infty\}$, $\quad u \mapsto \inf\{n \mid (u,n) \models_\le \varphi\}$.


To keep examples clear, we identify any atomic proposition $a$ with the subset
of $2^{AP}$ of sets containing $a$, $\bar a$ being its complement. Consider the formula
$\varphi_1 = \mathsf{F}_\le \neg a$, short for $\bot \,\mathsf{U}_\le\, \neg a$. For any $n \le p$ and any word $u \in a^n \bar a (2^{AP})^\omega$,
$(u,p) \models_\le \varphi_1$, and $[\![\varphi_1]\!]_\le(u) = n$. Consider now the formula $\varphi_2 = \mathsf{G}(\mathsf{F}_\le \neg a)$,
short for $\bot \,\mathsf{R}\, \mathsf{F}_\le \neg a$. For $n \in \mathbb{N}$ and $u \in (2^{AP})^\omega$, $(u,n) \models_\le \varphi_2$ only if the
distance between a letter in $\bar a$ and the next one also in $\bar a$ never exceeds $n$. Thus
$[\![\varphi_2]\!]_\le(u)$ is the maximal number of consecutive $a$'s in $u$.

If $\varphi$ is an LTL formula, either $(u,n) \models_\le \varphi$ holds for every $n$, in which case
$[\![\varphi]\!]_\le(u) = 0$, or for none, in which case $[\![\varphi]\!]_\le(u) = \infty$. The former is noted
$u \models \varphi$, and matches the usual semantics of LTL. In other words, the value true
is mapped onto $0$ and false onto $\infty$.

From the semantic definition, for any integers $n \le p$, if $(u,n) \models_\le \varphi$ then
$(u,p) \models_\le \varphi$ too. Stating $(u,n) \models_\le \varphi$ is thus equivalent to stating $[\![\varphi]\!]_\le(u) \le n$.
For $n \in \mathbb{N}$, we propose a translation from an $\mathrm{LTL}_\le$ formula $\varphi$ to an LTL
formula $\varphi[n]$ that separates words according to their value relative to $n$. More
precisely, $u \models \varphi[n]$ if, and only if, $[\![\varphi]\!]_\le(u) \le n$. $\varphi[n]$ is defined inductively as
follows ($\varphi_1, \varphi_2 \in \mathrm{LTL}_\le$ and $a \in AP$):

• $a[n] = a$ and $(\neg a)[n] = \neg a$;

• $(\mathsf{X}\varphi_1)[n] = \mathsf{X}(\varphi_1[n])$;

• $(\varphi_1 \bowtie \varphi_2)[n] = \varphi_1[n] \bowtie \varphi_2[n]$ for $\bowtie \in \{\vee, \wedge, \mathsf{U}, \mathsf{R}\}$;

• for $\varphi_1, \varphi_2 \in \mathrm{LTL}$, $(\varphi_1 \,\mathsf{U}_\le\, \varphi_2)[0] = \varphi_1 \,\mathsf{U}\, \varphi_2$

and $(\varphi_1 \,\mathsf{U}_\le\, \varphi_2)[n+1] = (\varphi_1 \vee \mathsf{X}((\varphi_1 \,\mathsf{U}_\le\, \varphi_2)[n])) \,\mathsf{U}\, \varphi_2$;

• otherwise $(\varphi_1 \,\mathsf{U}_\le\, \varphi_2)[n] = (\varphi_1[n] \,\mathsf{U}_\le\, \varphi_2[n])[n]$.

Back to our example $\varphi_1 = \mathsf{F}_\le \neg a$, we have $\varphi_1[0] = \bot \,\mathsf{U}\, \neg a = \neg a$, hence
$\varphi_1[1] = (\mathsf{X}\neg a) \,\mathsf{U}\, \neg a$, equivalent to $\neg a \vee \mathsf{X}\neg a$. Thus, $\varphi_1[n] = \bigvee_{i=0}^{n} \mathsf{X}^i \neg a$ for
every $n$.

Property 1. For $u \in (2^{AP})^\omega$, $n \in \mathbb{N}$ and $\varphi \in \mathrm{LTL}_\le$, $u \models \varphi[n]$ iff $[\![\varphi]\!]_\le(u) \le n$.

Proof. Structural induction on $\varphi$, detailed in appendix. □


2.1 Dual Logics 


In $\mathrm{LTL}_\le$, negations can only appear in the leaves of the formula, so that a
formula is always in NNF. This particularity is commanded by the semantic
difficulty of negating the operator $\mathsf{U}_\le$. In a boolean setting, a word is either a
model of the formula, or it is not. In our quantitative setting, negation is not
straightforward, as it is not a natural operation over $\mathbb{N}$. We take inspiration
from the embedding of LTL in $\mathrm{LTL}_\le$: true corresponds to $0$ and false to
$\infty$. Semantically, the negation thus replaces inf with sup. We define the logic
$\mathrm{LTL}_>$ [15], dual to $\mathrm{LTL}_\le$. The operator $\mathsf{U}_\le$ is replaced by $\mathsf{R}_>$ whose semantics
is defined so as to match the negation of the $\mathsf{U}_\le$ semantics: $(u,n) \models_> \varphi_1 \,\mathsf{R}_>\, \varphi_2$
iff for every $i \in \mathbb{N}$, either $(u^i,n) \models_> \varphi_2$ or $|\{j < i \mid (u^j,n) \models_> \varphi_1\}| > n$. All
other operators keep their natural semantics. The semantics of $\varphi \in \mathrm{LTL}_>$ is the
function

$[\![\varphi]\!]_> : (2^{AP})^\omega \to \mathbb{N} \cup \{\infty\}$, $\quad u \mapsto \sup\{n \mid (u,n) \models_> \varphi\}$.

For any $n \le p$, if $(u,p) \models_> \varphi$ then $(u,n) \models_> \varphi$, so that $(u,n) \models_> \varphi$ iff
$[\![\varphi]\!]_>(u) \ge n$.

Note that LTL is also embedded in $\mathrm{LTL}_>$, with a semantics dual to the case
of $\mathrm{LTL}_\le$: true is mapped onto $\infty$ and false onto $0$. Syntactically, $\mathrm{LTL} =
\mathrm{LTL}_\le \cap \mathrm{LTL}_>$, but the semantics do not match. Note that in both cases ($\mathrm{LTL}_\le$
and $\mathrm{LTL}_>$), either $(u,n)$ is a model for $\varphi \in \mathrm{LTL}$ for every $n \in \mathbb{N}$, or for none.
From now on, we note $u \models \varphi$ for the former case, to be matched with the
appropriate semantics depending on context.

Syntactically, we get dual pairs of operators: $\vee$ and $\wedge$, $\mathsf{U}$ and $\mathsf{R}$, $\mathsf{U}_\le$ and
$\mathsf{R}_>$, $\mathsf{X}$ being self-dual. From a formula $\varphi \in \mathrm{LTL}_\le$ (resp. $\mathrm{LTL}_>$), we can build
a formula $\neg\varphi \in \mathrm{LTL}_>$ (resp. $\mathrm{LTL}_\le$), by pushing the negation to the leaves:
the top operator is replaced by its dual, and the negation is recursively pushed
to the leaves of its operands. Literals respect the excluded middle, which is
semantically consistent, so as to eliminate double negations. Syntactically, the
excluded middle also holds, as pushing negations to the leaves in $\neg\neg\varphi$ yields $\varphi$.
Observe how the semantics of $\varphi$ and $\neg\varphi$ are correlated:

Property 2. For $u \in (2^{AP})^\omega$ and $\varphi \in \mathrm{LTL}_\le$, $[\![\neg\varphi]\!]_>(u) = \max(0, [\![\varphi]\!]_\le(u) - 1)$.

Proof. An easy induction on $\varphi$ proves that $(u,n) \models_\le \varphi$ iff $(u,n) \not\models_> \neg\varphi$ (observe
how the semantics of dual operators are dual to each other). We recall that
$(u,n) \models_\le \varphi \Rightarrow (u,p) \models_\le \varphi$ for any $n \le p$. Thus $(u,n) \models_> \neg\varphi$ if, and only
if, $n < [\![\varphi]\!]_\le(u) = \inf\{p \mid (u,p) \models_\le \varphi\}$. Furthermore, if $[\![\varphi]\!]_\le(u) = 0$, then
$[\![\neg\varphi]\!]_>(u) = \sup\emptyset = 0$ by convention. □

Property 3. For any $u \in (2^{AP})^\omega$ and $\varphi \in \mathrm{LTL}_>$,

$[\![\neg\varphi]\!]_\le(u) = \begin{cases} [\![\varphi]\!]_>(u) + 1 & \text{if } [\![\varphi]\!]_>(u) > 0 \\ 0 & \text{if } \forall n \in \mathbb{N},\ (u,n) \not\models_> \varphi \\ 1 & \text{otherwise} \end{cases}$

Proof. Recall from above that $(u,n) \models_\le \neg\varphi$ if, and only if, $(u,n) \not\models_> \varphi$. If
$[\![\varphi]\!]_>(u) > 0$, then $(u,n) \models_\le \neg\varphi$ if, and only if, $n > [\![\varphi]\!]_>(u)$. If $[\![\varphi]\!]_>(u) = 0$,
$\{n \mid (u,n) \models_> \varphi\}$ is either $\emptyset$ or $\{0\}$. We get $[\![\neg\varphi]\!]_\le(u) = 0$ in the former case,
and $[\![\neg\varphi]\!]_\le(u) = 1$ in the latter. □

Following the above, we define, for $\varphi \in \mathrm{LTL}_>$ and $n \in \mathbb{N}$, $\varphi[n]$ as $\neg((\neg\varphi)[n])$.

Property 4. For $u \in (2^{AP})^\omega$, $n \in \mathbb{N}$ and $\varphi \in \mathrm{LTL}_>$, $u \models \varphi[n]$ iff $[\![\varphi]\!]_>(u) \ge n$.

Proof. $[\![\varphi]\!]_>(u) \ge n$ iff $(u,n) \models_> \varphi$ iff $(u,n) \not\models_\le \neg\varphi$ iff $u \not\models (\neg\varphi)[n]$ iff $u \models \varphi[n]$. □

2.2 Cost Logics for Verification 

A common task in verification is to decide whether a system has a behavior satisfying
a given property. The property either expresses a desired behavior, or an unwanted
one (in which case finding a satisfying behavior amounts to finding a
bug). Typically, the behaviors of the system form a regular ω-language $L$, and the
property $\varphi$ is an LTL property. Thanks to the closure properties of regular ω-
languages, this problem reduces to existential model-checking: is the intersection
of $L$ and the language recognized by $\varphi$ empty? Universal model-checking asks
whether a language $L'$ contains all ω-words, and is dual to existential model-
checking, since $L' = \Sigma^\omega$ iff $\Sigma^\omega \setminus L' = \emptyset$. As both $\mathrm{LTL}_\le$ and $\mathrm{LTL}_>$ extend LTL,
the natural question we address is the extension of these two problems to the
quantitative setting.

We first rephrase LTL existential and universal model-checking with the
$\mathrm{LTL}_\le$ semantics: existential model-checking asks whether there is a word of
value $0$. Dually, universal model-checking asks whether all words have value $\infty$.
Existence of a word of value equal to, greater than, or less than a given $n$ are
natural extensions of this question. These questions hardly extend the boolean
framework: by comparing word values against a given $n$, they remain boolean
questions. We seek here a question with a quantitative answer (in our case in
the domain $\mathbb{N} \cup \{\infty\}$). Two particular values of interest are the bounds of $[\![\varphi]\!]_\le$.

Definition 5. inf-bound checking: given $L \subseteq (2^{AP})^\omega$ and $\varphi \in \mathrm{LTL}_\le$, compute
$\inf_L [\![\varphi]\!]_\le$.

Definition 6. sup-bound checking: given $L \subseteq (2^{AP})^\omega$ and $\varphi \in \mathrm{LTL}_\le$, compute
$\sup_L [\![\varphi]\!]_\le$.

The duality of $\mathrm{LTL}_\le$ and $\mathrm{LTL}_>$ allows choosing between $\varphi$ and $\neg\varphi$, as $\mathrm{LTL}_>$
seems more appropriate for sup-bound checking. All the problems mentioned
above are reducible to these two problems. In $\mathrm{LTL}_\le$ semantics, existential LTL
model-checking boils down to inf-bound checking, while its universal counterpart
corresponds to sup-bound checking.


3 CLTL Bounds Checking 

This section presents our main contribution, an algorithm to compute bounds
for $\mathrm{LTL}_\le$ and $\mathrm{LTL}_>$ formulae. It is inspired by the Counter-Example Guided
Abstraction and Refinement (CEGAR) approach to qualitative model-checking,
which we present first.

3.1 The CEGAR Approach to qualitative model-checking

Consider a regular ω-language $L$ (the set of behaviors of a system) and an LTL
formula $\varphi$. We ask whether all words of $L$ are models of $\varphi$. It boils down
to existential model-checking: is there a model of $\neg\varphi$ in $L$? The language of
$\neg\varphi$ is indeed regular, the intersection of $\mathcal{L}(\neg\varphi)$ and $L$ computable, and
testing the emptiness of a regular ω-language is decidable. These steps are
usually performed with ω-automata to represent the regular ω-languages.

But this approach becomes hardly tractable when the underlying automata
are huge, as is often the case when the input language is the set of behaviors
of a concurrent system. We present the so-called CEGAR (Counter-
Example Guided Abstraction and Refinement) loop. A language $L'$ larger
(for the inclusion) than $L$ is called an abstraction, $L$ being a refinement of
$L'$. The CEGAR loop assumes the existence of a refinement function $\rho$ that, given
a word $u \notin L$ and a regular abstraction $M$ of $L$, returns a regular refinement
$M'$ of $M$ that does not contain $u$, and that is also an abstraction of $L$:
$L \subseteq M$ and $u \notin L \Rightarrow L \subseteq \rho(M,u) \subseteq M \setminus \{u\}$.

The CEGAR loop proceeds as follows: i) start from an abstraction $M$ of $L$;
ii) search in $M$ a model $u$ of $\neg\varphi$; iii) if there is no such $u$ in $M$, there is none
in $L$ either, and the question is settled; iv) otherwise, check whether $u \in L$; v)
if $u \in L$, then the question is settled; vi) else start over with $M = \rho(M,u)$. In
practice, the automaton for $L$ is huge, and CEGAR avoids its full exploration
by manipulating abstractions, which have smaller underlying automata. Since
a counter-example guides the refinement, the same spurious counter-example
cannot be encountered twice. In general, termination depends on the refinement
function $\rho$, but in practice termination is easy to ensure, for example by falling
back to the initial input $L$ (worst-case scenario) when the size of $M'$ exceeds
the size of $L$.

3.2 CEGAR Approach for Bounds Checking 

We adapt the CEGAR approach to solve sup-bound checking for an $\mathrm{LTL}_>$ formula
$\varphi$ over a regular ω-language $L$. The dual inf-bound checking follows the same
scheme.

We first have to define the notion of abstractions and refinements, thanks
to an ordering over semantic functions: smaller elements are refinements and
greater ones are abstractions.

Definition 7. For $L \subseteq \Sigma^\omega$, $f \sqsubseteq_L g$ iff $\sup_L f = \sup_L g$ and $g^{-1}(0) \subseteq f^{-1}(0)$.


Algorithm 1: ComputeBound(L, φ0)

1  n ← 0;
2  while true do
3      φ ← φ0 ∧ φ0[n + 1];
4      if ∃u ∈ L s.t. [[φ]]_>(u) > 0 then
5          n ← p for any n < p ≤ [[φ]]_>(u);
6      else
7          return n;

In other words, $f$ refines $g$ (relatively to $L$) if they have the same supremum over
$L$ and $f$ maps more words (for the inclusion) onto $0$ than $g$. The CEGAR loop
for our quantitative setting is shown in Algorithm 1.

We present the algorithm in its full generality. Line 5 leaves some room for
various implementations, as we will see in Section 4.2.

The key of this algorithm is the search for a word $u$ such that $[\![\varphi]\!]_>(u) > 0$
for an $\mathrm{LTL}_>$ formula $\varphi$ (line 4). Note that if $\sup_L [\![\varphi]\!]_> > 0$, then for all $u \in L$,
$[\![\varphi]\!]_>(u) > 0$ iff there is some $p$ such that $(u,p) \models_> \varphi$. Considering the semantics
of $\mathrm{LTL}_>$, this is equivalent to finding a word satisfying the LTL formula $\varphi'$, a
copy of $\varphi$ in which every occurrence of $\varphi_1 \,\mathsf{R}_>\, \varphi_2$ is replaced by $\top \,\mathsf{R}\, \varphi_2$ (where
$\top = a \vee \neg a$ for any $a \in AP$). Therefore, the search for the upper bound of
$[\![\varphi]\!]_>$ is reduced to an LTL emptiness check, a well-studied problem with numerous
efficient solutions (see [22, 23] for surveys). The corner case $\sup_L [\![\varphi]\!]_> = 0$ can
be detected at the second pass in the loop (see the proof of Property 8).

Property 8. At line 4, for all $u \in L$,

$[\![\varphi]\!]_>(u) = \begin{cases} [\![\varphi_0]\!]_>(u) & \text{if } [\![\varphi_0]\!]_>(u) > n \\ 0 & \text{otherwise} \end{cases}$

Proof. At line 3, $\varphi = \varphi_0 \wedge \varphi_0[n+1]$. Let $u \in L$ and $m = [\![\varphi_0]\!]_>(u)$. By
Property 4, $m > n$ iff $(u,m) \models_> \varphi_0[n+1]$. $[\![\varphi]\!]_>(u)$ is the largest $p$ such that
both $(u,p) \models_> \varphi_0$ and $(u,p) \models_> \varphi_0[n+1]$. If $m > n$, $m$ is the largest such
$p$, so that $[\![\varphi]\!]_>(u) = m$. Otherwise, no value complies with the latter
condition, and $[\![\varphi]\!]_>(u) = \sup\emptyset = 0$. □

Property 8 proves that $[\![\varphi]\!]_> \sqsubseteq_L [\![\varphi_0]\!]_>$, and that at each pass in the loop,
$\varphi$ is refined with respect to $\sqsubseteq_L$.

Property 9. If $\sup_L [\![\varphi_0]\!]_>$ is finite, ComputeBound is both correct and sound,
i.e. it terminates and returns $\sup_L [\![\varphi_0]\!]_>$.

Proof. At line 5, $n$ is updated with a value $p$ such that $n < p \le [\![\varphi_0]\!]_>(u)$ for
some $u \in L$ such that $[\![\varphi]\!]_>(u) > 0$. Property 8 guarantees the existence of
such a $p$, and $n$ strictly increases when updated; $n$ is obviously bounded by
$\sup_L [\![\varphi_0]\!]_>$, which proves termination. Moreover, as long as $n < \sup_L [\![\varphi_0]\!]_>$,
there are still words $u$ such that $[\![\varphi_0]\!]_>(u) > n$, i.e. $[\![\varphi]\!]_>(u) > 0$. If the search
for such words on line 4 is correct and sound, so is ComputeBound. □
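As an added illustration (example code written for this presentation, not code from the paper or from any implementation of it), the following Python encodes the semantics of Section 2 on ultimately periodic words $u = \text{prefix}\cdot\text{loop}^\omega$, the translation $\varphi[n]$ together with its dual $\neg((\neg\varphi)[n])$, and Algorithm 1 over a finite language. The tuple encoding of formulae, the names Word, sat, cost_le, cost_gt, neg, trans_le, trans_gt and compute_bound, the sample words and the value cap limit are all assumptions of this example. The emptiness check of line 4 is replaced by a scan of the finite list L, and line 5 is run both with the exact value $p = [\![\varphi]\!]_>(u)$ and with the minimal $p = n+1$, so that the number of passes through the loop makes the trade-off discussed in Section 3.3 visible.

```python
from functools import lru_cache

INF = float("inf")
TRUE, FALSE = ('true',), ('false',)
# Formulae are nested tuples (this example's own encoding): ('ap', a), ('not', a), TRUE,
# FALSE, ('or'|'and'|'U'|'R', f, g), ('X', f), ('Ule', f, g) = f U_<= g, ('Rgt', f, g) = f R_> g.
class Word:
    """Ultimately periodic word prefix . loop^omega over 2^AP (loop non-empty)."""
    def __init__(self, prefix, loop):
        self.prefix, self.loop = [frozenset(l) for l in prefix], [frozenset(l) for l in loop]
        self.horizon = len(self.prefix) + len(self.loop)
    def norm(self, i):  # canonical position: the suffix u^i equals u^norm(i)
        p = len(self.prefix)
        return i if i < p else p + (i - p) % len(self.loop)
    def letter(self, i):
        i, p = self.norm(i), len(self.prefix)
        return self.prefix[i] if i < p else self.loop[i - p]

def sat(phi, u, i, n):
    """(u^i, n) |= phi; one relation serves |=_<= and |=_> since only U_<= and R_> read n.
    Quantified positions stop at i + horizon: every later suffix repeats an earlier one."""
    return _sat(phi, u, u.norm(i), n)

@lru_cache(maxsize=None)
def _sat(phi, u, i, n):
    op = phi[0]
    if op in ('true', 'false'): return op == 'true'
    if op == 'ap':  return phi[1] in u.letter(i)
    if op == 'not': return phi[1] not in u.letter(i)
    if op == 'or':  return sat(phi[1], u, i, n) or sat(phi[2], u, i, n)
    if op == 'and': return sat(phi[1], u, i, n) and sat(phi[2], u, i, n)
    if op == 'X':   return sat(phi[1], u, i + 1, n)
    f, g, ks = phi[1], phi[2], range(i, i + u.horizon)
    if op == 'U':   return any(sat(g, u, k, n) and all(sat(f, u, j, n) for j in range(i, k)) for k in ks)
    if op == 'R':   return all(sat(g, u, k, n) or any(sat(f, u, j, n) for j in range(i, k)) for k in ks)
    if op == 'Ule':  # g at some k, with f violated at most n times before k
        return any(sat(g, u, k, n) and sum(not sat(f, u, j, n) for j in range(i, k)) <= n for k in ks)
    if op == 'Rgt':  # at every k, g holds or f has held more than n times before k
        return all(sat(g, u, k, n) or sum(sat(f, u, j, n) for j in range(i, k)) > n for k in ks)
    raise ValueError(op)

def cost_le(phi, u, limit=64):
    """[[phi]]_<=(u) = inf{n | (u,n) |=_<= phi}; INF if no n below `limit` works."""
    return next((n for n in range(limit) if sat(phi, u, 0, n)), INF)

def cost_gt(phi, u, limit=64):
    """[[phi]]_>(u) = sup{n | (u,n) |=_> phi}, sup(empty) = 0; the set is downward closed,
    so scan upward to the first failure; reaching `limit` is reported as INF (assumption)."""
    n = 0
    while n < limit and sat(phi, u, 0, n):
        n += 1
    return INF if n == limit else max(0, n - 1)

DUAL = {'or': 'and', 'and': 'or', 'U': 'R', 'R': 'U', 'Ule': 'Rgt', 'Rgt': 'Ule'}
def neg(phi):
    """Push the negation to the leaves, replacing each operator by its dual."""
    op = phi[0]
    if op in ('ap', 'not'): return ('not' if op == 'ap' else 'ap', phi[1])
    if op in ('true', 'false'): return FALSE if op == 'true' else TRUE
    if op == 'X': return ('X', neg(phi[1]))
    return (DUAL[op], neg(phi[1]), neg(phi[2]))

def is_ltl(phi):
    return phi[0] not in ('Ule', 'Rgt') and all(is_ltl(s) for s in phi[1:] if isinstance(s, tuple))
def trans_le(phi, n):
    """phi[n] for phi in LTL_<=: an LTL formula with u |= phi[n] iff [[phi]]_<=(u) <= n."""
    op = phi[0]
    if op in ('ap', 'not', 'true', 'false'): return phi
    if op == 'X': return ('X', trans_le(phi[1], n))
    if op != 'Ule': return (op, trans_le(phi[1], n), trans_le(phi[2], n))
    f, g = phi[1], phi[2]
    if not (is_ltl(f) and is_ltl(g)):  # translate the operands first
        return trans_le(('Ule', trans_le(f, n), trans_le(g, n)), n)
    if n == 0: return ('U', f, g)
    return ('U', ('or', f, ('X', trans_le(('Ule', f, g), n - 1))), g)

def trans_gt(phi, n):
    """phi[n] for phi in LTL_>, i.e. not((not phi)[n]); u |= phi[n] iff [[phi]]_>(u) >= n."""
    return neg(trans_le(neg(phi), n))

def compute_bound(L, phi0, exact=True, limit=64):
    """Algorithm 1 over a finite list L of Words: line 4 scans L instead of an emptiness
    check; line 5 takes p = [[phi]]_>(u) (exact) or p = n + 1.  Returns (bound, passes)."""
    n, passes = 0, 0
    while True:
        passes += 1
        phi = ('and', phi0, trans_gt(phi0, n + 1))                                   # line 3
        found = next((v for v in (cost_gt(phi, u, limit) for u in L) if v > 0), 0)  # line 4
        if found == 0: return n, passes                                               # lines 6-7
        if found == INF: return INF, passes
        n = found if exact else n + 1                                                 # line 5

# Constructed sample inputs (not taken from the paper).
F_LE_NOT_A = ('Ule', FALSE, ('not', 'a'))                        # F_<= !a = bottom U_<= !a
G_F_LE_NOT_A = ('R', FALSE, F_LE_NOT_A)                           # G(F_<= !a)
W = Word([{'a'}, {'a'}], [set(), {'a'}, {'a'}, {'a'}, {'a'}])      # aa (!a aaaa)^omega
PHI0 = ('U', TRUE, ('and', ('ap', 'p'), ('Rgt', TRUE, ('not', 'q'))))  # F(p and G_> !q)
LANG = [Word([], [{'p'}, set(), set(), {'q'}]),                    # q three steps after p
        Word([{'p'}, {'q'}], [set()]),                             # q right after p
        Word([{'p'}], [set(), set(), set(), set(), {'q'}])]        # q five steps after p
```

On the constructed word $aa(\bar a aaaa)^\omega$, cost_le returns 2 for $\mathsf{F}_\le \neg a$ and 4 for $\mathsf{G}(\mathsf{F}_\le \neg a)$, in line with the example of Section 2, and cost_gt applied to the negation returns 3, in line with Property 2. On the three-word language, compute_bound returns the bound 4 after 3 passes with the exact $p$ and after 5 passes with $p = n+1$.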


3.3 Performance of the algorithm 

Figure 1: A CA counting consecutive a's (figure not reproduced in this extraction).

Essentially, ComputeBound enumerates candidate values for $\sup[\![\varphi_0]\!]_>$ in increasing
order until a fixpoint is reached. The next candidate is determined on line 5:
the larger $p$, the quicker the algorithm converges. The choice left for $p$ allows
flexibility: the exact value of $[\![\varphi]\!]_>(u)$ is most certainly harder to find than an
appropriate value $p$. This line brings a tuning parameter for implementations:
the higher the $p$, the faster the convergence, but probably the higher the
computation cost. Implementations should therefore find an appropriate balance
between the cost of computing $p$, and the number of loops in ComputeBound.

To a lesser extent, line 3 brings another tuning parameter for implementations.
$\varphi_0$ (resp. $\varphi_0[n+1]$) in this line can be safely replaced by $\varphi$ (resp.
$\varphi[n+1]$), without affecting the outcome of the algorithm. Nevertheless, using
the $\varphi_0$ variant yields simpler formulae.


4 Counter ω-Automata

This section presents Counter ω-Automata (CA), as introduced by [5] under
the names B-automata and S-automata. We also show how to translate $\mathrm{LTL}_>$
formulae to CA, based on ideas used for the case of finite words [15]. We adapt
it to infinite words in Section 4.1, and then show the implementation of our
ComputeBound algorithm with CA in Section 4.2.

Informally, a CA is an ω-automaton equipped with a finite set of non-negative
integer counters $\Gamma$, initialized with value $0$. The values of these counters are
controlled by actions: $\mathsf{i}$ that increments a counter; $\mathsf{r}$ that resets a counter to $0$;
$\mathsf{c}$ that checks, i.e. observes or stores, the current value of the counter. The set of counter
actions is denoted by $C$. Values of the counters do not affect the behavior of the
automaton, but are used to assign a value to a word. Only observed values are
used to determine word values. In addition to a letter $a \in \Sigma$, a CA transition
is labelled with $|\Gamma|$ (words of) actions, one for each counter.

Definition 10. A counter automaton is a 6-tuple $\mathcal{A} = (Q, \Sigma, \Delta, \Gamma, q_0, \mathcal{F})$ where:

- $Q$ is a finite set of states, and $q_0 \in Q$ is the initial state;

- $\Sigma$ is a finite alphabet;

- $\Gamma$ is a finite set of counters;

- $\Delta \subseteq Q \times \Sigma \times (C^*)^\Gamma \times Q$ is the transition relation;

- $\mathcal{F} \subseteq 2^\Delta$ is a set of sets of accepting transitions.

An infinite word $u \in \Sigma^\omega$ is accepted by a counter automaton $\mathcal{A}$ if there exists
an execution of $\mathcal{A}$ on $u$ that visits infinitely often every set in $\mathcal{F}$.

For $\Gamma = \emptyset$, Definition 10 defines an ω-automaton. Along a run $\rho$, counters
are incremented and reset according to the encountered actions, and the set of
checked values is noted $C(\rho)$.

There are two dual semantics for CA:

• the inf-semantics (B-automata in [5]), where
$[\![\mathcal{A}]\!]_\le(u) = \inf_{\rho \text{ acc. run on } u} \sup C(\rho)$;

• the sup-semantics (S-automata in [5]), where
$[\![\mathcal{A}]\!]_>(u) = \sup_{\rho \text{ acc. run on } u} \inf C(\rho)$.

Figure 1 gives an example of a deterministic CA with the sup-semantics.
Only words in $L = (\Sigma^* b)^\omega$ have accepting runs. Thus $[\![\mathcal{A}]\!]_>(u) = \sup\emptyset = 0$ for
$u \notin L$. If $u \in L$, $[\![\mathcal{A}]\!]_>(u)$ is the smallest size of a block of consecutive $a$'s in $u$.
4.1 From CLTL to Counter Automata 

For every $\mathrm{LTL}_\le$ (resp. $\mathrm{LTL}_>$) formula $\varphi$, there exists a CA $\mathcal{A}_\varphi$, with the inf-
semantics (resp. sup-semantics), with the same semantics: $[\![\mathcal{A}_\varphi]\!]_\le = [\![\varphi]\!]_\le$ (resp.
$[\![\mathcal{A}_\varphi]\!]_> = [\![\varphi]\!]_>$). This construction is effective, and does not differ much from the
translation from LTL formulae to Büchi automata (see for instance [8]). The key
difference is the introduction of a counter for each occurrence of the operator
$\mathsf{U}_\le$ (resp. $\mathsf{R}_>$) in the formula to translate. The translation is described in [15]
for the case of finite words, and is easily extended to infinite words.

We state here this extension, for the sake of completeness. In [15], the
produced CA transitions bear sequences of counter actions (e.g. a counter can
be incremented by three in a single transition). We show that it is always
possible to produce a CA whose transitions are labelled with atomic actions,
i.e. at most one action ($\mathsf{i}$, $\mathsf{r}$, $\mathsf{c}$ or $\varepsilon$) per counter. This possibility seems to have
been overlooked in previous work. This remark may stem from the care taken
in our translation to retain exact values. We also note that there is a slight
difference of semantics for $\mathrm{LTL}_>$ with respect to [15], which is the main cause of
the differences between our algorithm and previous ones. We will also discuss
optimizations of the translation.

We label $\mathsf{R}_>^1, \ldots, \mathsf{R}_>^k$ the $k$ occurrences of the operator $\mathsf{R}_>$ in $\varphi$. Each
occurrence is associated a counter, so that $\Gamma = \{\gamma_1, \ldots, \gamma_k\}$. We note $sub(\varphi)$
the set of sub-formulae of $\varphi$.

A state of $\mathcal{A}_\varphi$ is a set of $\mathrm{LTL}_>$ formulae, yet to be verified. A formula
is reduced if it is either a literal or its outermost operator is $\mathsf{X}$. A set
$Z$ of formulae is reduced if it contains only reduced formulae, and consistent
if it does not contain both a formula and its negation. Given a reduced and
consistent set $Z$, we note $next(Z) = \{\psi \mid \mathsf{X}\psi \in Z\}$ and $\Sigma_Z$ the set of letters (in $2^{AP}$)
compatible with the literals in $Z$. $\Sigma_Z$ cannot be empty if $Z$ is consistent. From a
reduced state $Z = \{l_1, \ldots, l_n, \mathsf{X}\varphi_1, \ldots, \mathsf{X}\varphi_p\}$, reading a letter of $\Sigma_Z$ leads to the
state $next(Z) = \{\varphi_1, \ldots, \varphi_p\}$.

Non-reduced states are reduced step-by-step using ε-transitions, summarized
in Table 1, that preserve the state semantics.

Table 1: ε-transitions reducing a formula ψ ∈ Y (a label ε:act reads no letter and performs act on the counter of ψ; !ψ marks a transition that postpones ψ)

  if ψ = ψ1 ∧ ψ2       Y  --ε:ε-->      Y \ {ψ} ∪ {ψ1, ψ2}
  if ψ = ψ1 ∨ ψ2       Y  --ε:ε-->      Y \ {ψ} ∪ {ψ1}
                       Y  --ε:ε-->      Y \ {ψ} ∪ {ψ2}
  if ψ = ψ1 U ψ2       Y  --ε:ε-->      Y \ {ψ} ∪ {ψ2}
                       Y  --ε:ε, !ψ-->  Y \ {ψ} ∪ {ψ1, Xψ}
  if ψ = ψ1 R ψ2       Y  --ε:ε-->      Y \ {ψ} ∪ {ψ1, ψ2}
                       Y  --ε:ε-->      Y \ {ψ} ∪ {ψ2, Xψ}
  if ψ = ψ1 R_>^i ψ2   Y  --ε:cr-->     Y \ {ψ} ∪ {ψ1, ψ2}
                       Y  --ε:i-->      Y \ {ψ} ∪ {ψ1, ψ2, Xψ}
                       Y  --ε:ε-->      Y \ {ψ} ∪ {ψ2, Xψ}

Figure 2: Reduction of {¬φ} (figure not reproduced in this extraction).

Operators $\vee$, $\wedge$, $\mathsf{U}$ and $\mathsf{R}$ follow the classical translation from LTL to ω-automata.
To reduce $\psi = \psi_1 \,\mathsf{R}_>^i\, \psi_2$, three ε-transitions are possible:

• the first one checks and resets the counter $\gamma_i$, requiring both $\psi_1$ and $\psi_2$ to
be verified;

• the second one counts one occurrence of $\psi_1$, requiring all of $\psi_1$, $\psi_2$ and $\mathsf{X}\psi$
to be verified;

• the third one does nothing on the counter $\gamma_i$, and requires both $\psi_2$ and $\mathsf{X}\psi$
to be verified.

These three transitions implement in fact the semantics of the operator $\mathsf{R}_>$.

An until formula $\varphi_1 \,\mathsf{U}\, \varphi_2$ requires $\varphi_2$ to be true at some point. Transitions
subscripted with the label $!\psi$ indicate that $\varphi_2$ in $\psi$ has been postponed. Each
until sub-formula in $\varphi$ yields one acceptance condition: any transition going
through a label $!\psi$ is not accepting for the condition $\psi$. Once the automaton
with ε-transitions is built, the actual (smaller) automaton is built by collapsing
ε-transitions (counter actions are concatenated).

Let us illustrate the described translation with an example: $\varphi = \mathsf{G}(p \Rightarrow
\mathsf{F}_\le q)$. We turn $\varphi$ into an equivalent $\mathrm{LTL}_>$ formula $\neg\varphi = \mathsf{F}(p \wedge \mathsf{G}_> \neg q)$, which
we translate to a CA with sup-semantics. Figure 2 depicts the ε-transitions
obtained while reducing $\{\neg\varphi\}$.

The reduction yields three reduced sets. The (not reduced) set $\{p \wedge \mathsf{G}_> \neg q\}$
is not shown and is directly reduced to $\{p, \mathsf{G}_> \neg q\}$. The three reduced sets
being also consistent, we are ready to find the real successors of $\neg\varphi$, i.e. the sets
$next(Z)$ where $Z$ is one of the three obtained reduced sets. First, $next(\{\mathsf{X}\neg\varphi\})$
falls back to the initial state, which will result in a loop in the final
automaton. Note that this will be the only non-accepting transition. $next(\{p, \neg q\})$
is the set $\{\top\}$, and $next(\{p, \neg q, \mathsf{X}\mathsf{G}_> \neg q\})$ is $\{\mathsf{G}_> \neg q\}$. As this last state is
not reduced, the reduction process goes on, yielding $\{\neg q\}$ and $\{\neg q, \mathsf{X}\mathsf{G}_> \neg q\}$.
$next(\{\neg q\}) = \{\top\}$ and $next(\{\neg q, \mathsf{X}\mathsf{G}_> \neg q\}) = \{\mathsf{G}_> \neg q\}$, states that have already
been discovered and reduced. Finally, we collapse the ε-transitions to get the
final automaton shown in Figure 3.

Several transitions of the automaton of Figure 3a are unnecessary. Indeed,
according to the sup-semantics, only paths with the higher value are relevant,
and those with a lower value can safely be removed. This allows reducing non-
determinism in the automaton, as shown on the automaton of Figure 3b, which
has the same semantics as the one of Figure 3a.

If done appropriately, the actions in the produced automaton can be limited
to atomic ones. The proof of Property 11 is detailed in appendix.
Figure 3: CA for G(p ⇒ F_≤ q). (a) CA after removing pseudo states; (b) CA without unnecessary transitions. (Figure not reproduced in this extraction.)


Property 11. If the largest (for the sub-formula ordering) formula in Y is 
picked first when reducing Y, then at most one action per counter occurs along 
any chain of e-transitions. 
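The ε-reduction step of Table 1 and Figure 2, as an added example that is neither the paper's code nor that of any implementation of it: the Python below encodes formula sets as frozensets of nested tuples (an encoding chosen for this example), applies the rules of Table 1 picking the largest pending formula first as Property 11 requires (the operator count stands in for the sub-formula ordering), and drops $\top$ from the sets as the text does. The names rules, reduce_set, next_state, letters and max_actions_per_counter, and the counter name g1, are assumptions of this example. Run on $\{\neg\varphi\}$ for the paper's $\varphi = \mathsf{G}(p \Rightarrow \mathsf{F}_\le q)$, it produces the three reduced sets described above, and each ε-chain carries at most one action on the counter.

```python
from itertools import chain, combinations

TRUE = ('true',)
# Formulae are nested tuples (this example's own encoding): ('ap', a), ('not', a),
# TRUE, ('and'|'or'|'U'|'R', f, g), ('X', f) and ('Rgt', f, g) for f R_> g.

def size(phi):
    """Number of operators; Property 11 asks to reduce the largest formula first."""
    return 1 + sum(size(s) for s in phi[1:] if isinstance(s, tuple))

def is_reduced(phi):
    """Reduced: a literal, or the outermost operator is X."""
    return phi[0] in ('ap', 'not', 'true', 'false', 'X')

def literals(Z):
    return ({p[1] for p in Z if p[0] == 'ap'}, {p[1] for p in Z if p[0] == 'not'})

def is_consistent(Z):
    pos, neg = literals(Z)
    return ('false',) not in Z and not (pos & neg)

def next_state(Z):
    """next(Z) = {psi | X psi in Z}."""
    return frozenset(p[1] for p in Z if p[0] == 'X')

def letters(Z, AP):
    """Sigma_Z: the letters of 2^AP compatible with the literals of Z."""
    pos, neg = literals(Z)
    subsets = chain.from_iterable(combinations(sorted(AP), r) for r in range(len(AP) + 1))
    return {frozenset(s) for s in subsets if pos <= set(s) and not (neg & set(s))}

def add(Y, *fs):
    """Y with formulae added; the trivially satisfied TRUE is dropped."""
    return Y | {f for f in fs if f != TRUE}

def rules(Y, psi, gamma):
    """Table 1 for psi in Y: a list of (counter action, postponed until-formula, Y')."""
    rest, op = Y - {psi}, psi[0]
    f, g, X = psi[1], psi[2], ('X', psi)
    if op == 'and': return [('', None, add(rest, f, g))]
    if op == 'or':  return [('', None, add(rest, f)), ('', None, add(rest, g))]
    if op == 'U':   return [('', None, add(rest, g)), ('', psi, add(rest, f, X))]
    if op == 'R':   return [('', None, add(rest, f, g)), ('', None, add(rest, g, X))]
    if op == 'Rgt':
        c = gamma[psi]   # the counter attached to this occurrence of R_>
        return [('cr:' + c, None, add(rest, f, g)),     # check and reset the counter
                ('i:' + c, None, add(rest, f, g, X)),   # count one occurrence of f
                ('', None, add(rest, g, X))]            # leave the counter alone
    raise ValueError(op)

def reduce_set(Y, gamma):
    """Every reduced, consistent set reachable from Y through epsilon-transitions, with
    the concatenated counter actions and the postponed formulae of its chain."""
    out, todo = [], [((), frozenset(), frozenset(Y))]
    while todo:
        acts, post, Z = todo.pop()
        pending = [p for p in Z if not is_reduced(p)]
        if not pending:
            if is_consistent(Z):
                out.append((acts, post, Z))
            continue
        psi = max(pending, key=size)           # largest formula first (Property 11)
        for act, postponed, Z2 in rules(Z, psi, gamma):
            todo.append((acts + ((act,) if act else ()),
                         post | ({postponed} if postponed else frozenset()), Z2))
    return out

def max_actions_per_counter(chains):
    """Largest number of actions on one counter along a single epsilon-chain."""
    best = 0
    for acts, _, _ in chains:
        for c in {a.split(':')[1] for a in acts}:
            best = max(best, sum(a.endswith(':' + c) for a in acts))
    return best

# The paper's example, encoded for this script: not phi = F(p and G_> not q).
P, NOT_Q = ('ap', 'p'), ('not', 'q')
G_GT_NOT_Q = ('Rgt', TRUE, NOT_Q)                 # G_> !q = top R_> !q
NOT_PHI = ('U', TRUE, ('and', P, G_GT_NOT_Q))     # F(p and G_> !q)
GAMMA = {G_GT_NOT_Q: 'g1'}                        # one counter per R_> occurrence

def reduced_sets(Y):
    return {Z for _, _, Z in reduce_set(Y, GAMMA)}
```

reduced_sets(frozenset({NOT_PHI})) yields $\{\mathsf{X}\neg\varphi\}$, $\{p, \neg q\}$ and $\{p, \neg q, \mathsf{X}\mathsf{G}_>\neg q\}$, the last one reached twice (once with action i, once with no action), and reducing $\{\mathsf{G}_> \neg q\}$ in turn yields $\{\neg q\}$ and $\{\neg q, \mathsf{X}\mathsf{G}_> \neg q\}$, as in the walk-through above.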

4.2 CEGAR-loop Implementation 

We detail the implementation of ComputeBound using CA, specifically lines 4
and 5. The strength of our algorithm is to boil the problem down to ω-automata
emptiness checks, a well-studied problem with numerous variants and solutions
[22, 23]. This section makes no further assumptions on the variant of
ω-automata or the translation algorithm used, so that the final user can use
the fittest ones. Many translations of LTL (and by extension the CLTL translations
derived from them) to automata produce generalized transition-based automata.

The input language $L$ is assumed to be regular and given as an ω-automaton.
As explained above, we build from $\varphi$ a CA $\mathcal{A}_\varphi$ such that $[\![\varphi]\!]_> = [\![\mathcal{A}_\varphi]\!]_>$. Line 4
looks for a word $u \in L$ such that $[\![\varphi]\!]_>(u) > 0$. The constraint $u \in L$ is enforced
by searching $u$ such that $[\![\mathcal{A}_\varphi \otimes \mathcal{A}_L]\!]_>(u) > 0$, where $\mathcal{A}_\varphi \otimes \mathcal{A}_L$ is the synchronized
product of $\mathcal{A}_\varphi$ and (the automaton of) $L$. This product, itself a CA, rules out
words not in $L$, so that $[\![\mathcal{A}_\varphi \otimes \mathcal{A}_L]\!]_>(v) > 0$ only if $v \in L$.

Property 8 shows that $[\![\varphi]\!]_>(u) = 0$ iff there is no $n$ such that $(u,n) \models_> \varphi$.
Given the requirements on $\mathcal{A}_\varphi$, $[\![\varphi]\!]_>(u) = 0$ iff $\mathcal{A}_\varphi$ has no accepting run on $u$.
Thus, the set of such $u$'s (those with $[\![\varphi]\!]_>(u) > 0$, i.e. with an accepting run) is exactly the language
recognized by $\mathcal{A}_\varphi \otimes \mathcal{A}_L$, viewed as an ω-automaton by ignoring the counters. Finding
such a word $u$ thus amounts to an emptiness check of the said automaton.

A non-empty regular ω-language contains an ultimately periodic word, and
so can $u$ be chosen, ensuring a finite representation. In practice, emptiness-check
algorithms that compute a counter-example always produce such ultimately
periodic words.

Line 5 then asks for a value $p$ between $n$ and $[\![\varphi_0]\!]_>(u)$ to update $n$. We
claim that any accepting run $\rho$ on $u$ in the product automaton $\mathcal{A}_{\varphi_0} \otimes \mathcal{A}_{\varphi_0[n+1]}$
provides such a value $p$. On the one hand such a $\rho$ is an accepting run in $\mathcal{A}_{\varphi_0}$,
and its value $p$ is therefore not larger than $[\![\varphi_0]\!]_>(u)$. On the other hand, $\rho$ is
also an accepting run in $\mathcal{A}_{\varphi_0[n+1]}$. The whole point of synchronizing $\mathcal{A}_{\varphi_0}$ with
$\mathcal{A}_{\varphi_0[n+1]}$ is to rule out runs whose value does not exceed $n$. Indeed, in $\varphi_0[n+1]$,
the value $n+1$ is hard-coded thanks to $n+1$ nested $\mathsf{X}$ operators. Every time a
counter is incremented, a nested $\mathsf{X}$ is passed, and $\mathcal{A}_{\varphi_0[n+1]}$ accepts a run only
if counters are checked with values strictly larger than $n$. Therefore, replaying
$u$ in $\mathcal{A}_{\varphi_0} \otimes \mathcal{A}_{\varphi_0[n+1]}$ yields a $p$ between $n$ and $[\![\varphi_0]\!]_>(u)$. The great advantage
of this operation is that only one run over $u$ needs to be considered, and the
computation of $p$ is therefore straightforward.

We recall that a higher $p$ speeds up the convergence of ComputeBound, by reducing
the number of loops. But a higher $p$ would require exploring several runs of
$\mathcal{A}_{\varphi_0} \otimes \mathcal{A}_{\varphi_0[n+1]}$ and retaining the highest value found. We see more precisely here
the trade-off between the number of loops in ComputeBound and the computation
of $p$ on line 5.

To conclude, we show how ComputeBound can be extended to also detect the unbounded case, thus providing a complete algorithm. To this end, we recall that unboundedness of a sup-automaton is decidable, as shown in [15].

Property 12. [15] $[\![\mathcal{A}]\!]_>$ is unbounded if and only if $\mathcal{A}$ has an accepting run $\rho$ in which every action $c_\gamma$ ($\gamma \in \Gamma$) is preceded by a cycle that increments $\gamma$ without resetting $\gamma$.

The proof of Property 12 is not difficult: the existence of such a cycle guarantees the ability to build runs with arbitrarily high values. Conversely, if no such run exists, then every accepting run has its value bounded by $|Q_{\mathcal{A}}|$.

As a corollary of Property 12, $\sup[\![\mathcal{A}]\!]_>$ is unbounded if and only if $\mathcal{A}$ has an accepting run of value greater than its number of states. ComputeBound can thus be adapted so as to detect unboundedness too: compute a bound $B$ on the size of the product $\mathcal{A}_{\varphi_0} \otimes \mathcal{A}_L$ (such as $B = |\mathcal{A}_{\varphi_0}| \times |\mathcal{A}_L|$). The sought bound is finite iff $n$ never exceeds $B$.


5 An Example of Application

Through a concrete example, this section illustrates the expressive capabilities of $\mathrm{LTL}_\le$ and $\mathrm{LTL}_>$ and the kind of problems our bound evaluation algorithm may solve.

5.1 Ant Colony Optimization 

Ant Colony Optimization [9] (ACO) is a bio-inspired meta-heuristic relying on the cooperative behavior of small simple agents to solve optimization problems. A collection of artificial ants endlessly walks a graph at random, from some initial node (their nest) to one or several target nodes (the food sources), and back to the nest. Whenever an ant moves from one node to another, it deposits a certain amount of pheromone. The quantity of pheromone left on an edge increases the likelihood that an ant chooses to cross it. Besides, the quantity of pheromone decreases according to an evaporation rate. Unless the evaporation rate is too high, ants will eventually converge to the shortest paths from their nest to the food sources, because shorter paths are rewarded with new pheromone more frequently.

ACO has been successfully used in numerous applications, such as data mining [21] and image processing [20]. ACO is resilient to modifications of the graph and it usually responds very quickly to such changes, because its current state is likely to contain useful information on the closest new solutions. Finally, ACO is rather simple to implement on huge distributed setups, as agents do not communicate directly with each other.
5.2 Quantitative Properties

Let us consider an ACO that searches for the shortest path between two nodes in a directed graph. The most classic quantitative information is the time (number of steps) taken to find a solution, be it local or global. Topological parameters may also be measured, such as the maximum length of solutions or the number of nodes visited before a solution is found. Other quantities relate to the algorithm parameters, such as the maximum amount of pheromone on an edge. Such information is critical to tune the algorithm parameters, which ultimately dictate how fast it converges to a solution [12]. With a fixed topology, some of these properties are not difficult to compute. For instance, the minimum number of visited nodes is the length of the shortest path, computable in polynomial time. Other properties are harder to compute, such as the maximum length of solutions. When the topology changes dynamically, an analytical search for exact optimal values is cumbersome, if possible at all.

To address these questions, model-checking becomes an option, by checking all possible behaviors of the system. A common approach instruments the model to monitor the quantitative properties at stake. This introduces a strong semantic risk, because the instrumentation may be impacted by any modification to the model and must thus be kept up to date. We propose to move the instrumentation into the logic, to keep a proper separation between the actual behavior (the model) and the desired behavior (the logical property).

Let $G = (V, E)$ be a directed graph where $V$ is a finite set of vertices and $E \subseteq V \times V$ is the set of edges. An ant is a pair $(a_v, a_d)$ where $a_v \in V$ is a node and $a_d \in \{\uparrow, \downarrow\}$ is a direction (looking for a food source, or coming back to the nest). $A$ denotes the set of ants.

The time an ant $a$ takes to find a solution is given by $\varphi_a(a) = \mathbf{G}(\bot\ \mathbf{U}_\le\ (a_v = s \wedge a_d = {\downarrow}))$ where $s \in V$ is the nest node. The worst case over the possible behaviors in $L$ is thus $\sup_L [\![\varphi_a]\!]_\le$ and the best case $\inf_L [\![\varphi_a]\!]_\le$. Similarly, the time taken by the whole system to find a solution is obtained by the conjunction over all ants of the previous formula: $\varphi_A = \mathbf{G} \bigwedge_{a \in A}$

It is easy to count events like the number of visits of an ant $a$ to a node $s \in V$ with $(a_v = s)\ \mathbf{U}_\le\ (\mathbf{G}\,\neg(a_v = s))$. Occurrences of a position where an LTL formula $\varphi$ holds are counted by $\varphi\ \mathbf{U}_\le\ (\mathbf{G}\,\neg\varphi)$. Consider the deposit (resp. removal) of pheromone on edge $e$, denoted by the action $\mathrm{add}(e)$ (resp. $\mathrm{rm}(e)$). The formula $\varphi_{\mathrm{acc}}(e) = \neg(\mathrm{add}(e) \Rightarrow (\neg\mathrm{add}(e)\ \mathbf{U}\ \mathrm{rm}(e)))$ holds in states where $e$ will receive more pheromone before the next removal, i.e. when an ant crosses an edge whose pheromone has not yet evaporated. The (integer) amount of pheromone on a given edge $e$ is obtained by $\varphi_{\mathrm{acc}}(e)\ \mathbf{U}_\le\ (\mathbf{G}\,\neg\varphi_{\mathrm{acc}}(e))$.

6 Related work 

A famous problem in language theory is the star-height problem: given a language $L$ (of finite words) and an integer $k$, is there a regular expression for $L$ with at most $k$ nested Kleene stars? Proposed in 1963 [11], it was proven decidable in 1988 [13] by exhibiting an algorithm with non-elementary complexity, and a much more efficient algorithm was then proposed in 2005 [14]. Both algorithms translate the problem into the existence of a bound for a function mapping words to integers, represented in both cases by an automaton equipped with counters (distance automata for the former, nested distance desert automata for the latter). This boundedness problem (the existence of a bound) is then shown decidable. It is the first of many problems that reduce to the boundedness problem for such automata.

This motivated an in-depth study of automata with counters (as we use them) as a general framework, which came up with a theory extending that of regular languages, with logical and algebraic counterparts [6]. On infinite words, the logical counterpart motivated the introduction and study of $\mathrm{LTL}_\le$ and $\mathrm{LTL}_>$ [16]. This theory also encompasses promptness properties, a variant of liveness where a bound on the wait time of a recurring event must exist [2, 17]. But all these works, motivated by the boundedness problem, overlook the exact values of the functions. On one hand, this relaxation enables nice closure properties (such as the equivalent expressiveness of inf-automata and sup-automata). On the other hand, it only allows reasoning about the existence of a bound, not computing values.

In verification, not all questions have a boolean answer, so various quantitative extensions of automata have been considered, such as weighted automata (see [10] for a survey). Despite their various domains of application, they have limited expressivity, as the domain of weights is required to be a semiring. An extension to arbitrary operations on weights has recently been proposed [3]. It encompasses various extensions of weighted automata, such as Discounted Sum Automata [7] and Counter $\omega$-Automata as considered in this paper. All these formalisms can be characterized by the absence of guards on register values. These extensions sometimes have equivalent logics (such as discounted linear temporal logics [1]). From the logical point of view, let us also mention that other temporal logics able to count events were previously proposed [19].

Most of the cited works only focus on expressivity, decidability and complexity problems, with little consideration for the practical use of such quantitative extensions of automata. This contrasts with older formalisms: $\omega$-automata have already received great focus towards practical applications, illustrated by numerous emptiness-check algorithms (see [22] for an overview) and many implementations, principally oriented towards LTL model-checking (see [23] for a survey). Some quantitative extensions of automata possess a similar maturity towards practical applications, especially timed automata [4] and weighted automata [18].

7 Conclusion 

In this paper we proposed to use $\mathrm{LTL}_\le$ and $\mathrm{LTL}_>$ for the practical verification of quantitative properties. One key advantage of these logics is to clearly separate the functional properties of the system from the quantitative properties, which are expressed in the logic used for verification. The functional model can still be used for other tasks like code production and test generation. Along with examples of properties expressed in these logics, we also exhibited a CEGAR-like algorithm to compute bounds for such formulae, based on successive refinements. We further proposed an implementation of this algorithm using automata equipped with counters, extending the automata approach used for LTL model-checking.

This is a first step towards practical applications of such logics, which seem very promising if adequate algorithms and tools are available. The next step is to implement our algorithm in a proof-of-concept tool. The logics we used are just a drop in a vast ocean of quantitative extensions of LTL. Further research should focus on fitting our algorithm into a more general framework so as to capture several such LTL extensions. Another axis would be improving the performance of the validation algorithms, such as improving the translation to automata to produce smaller and/or more deterministic automata, and tweaking emptiness checks to limit the number of refinement iterations.


References 

[1] S. Almagor, U. Boker, and O. Kupferman. Discounting in LTL. In E. Ábrahám and K. Havelund, editors, Tools and Algorithms for the Construction and Analysis of Systems, volume 8413 of LNCS, pages 424-439. Springer Berlin Heidelberg, 2014.

[2] S. Almagor, Y. Hirshfeld, and O. Kupferman. Promptness in ω-regular automata. In Proc. 8th International Symposium on Automated Technology for Verification and Analysis (ATVA '10), volume 6252 of LNCS, pages 22-36. Springer, 2010.

[3] R. Alur, L. D'Antoni, J. Deshmukh, M. Raghothaman, and Y. Yuan. Regular Functions and Cost Register Automata. In Logic in Computer Science (LICS), 2013 28th Annual IEEE/ACM Symposium on, pages 13-22. IEEE, 2013.

[4] G. Behrmann, A. David, K. Larsen, J. Håkansson, P. Pettersson, W. Yi, and M. Hendriks. Uppaal 4.0. In Proc. 3rd International Conference on the Quantitative Evaluation of Systems, QEST '06, pages 125-126, Washington, DC, USA, 2006. IEEE Computer Society.

[5] M. Bojańczyk and T. Colcombet. Bounds in ω-regularity. In Proc. 21st Annual IEEE Symposium on Logic in Computer Science, LICS '06, pages 285-296, Washington, DC, USA, 2006. IEEE Computer Society.

[6] T. Colcombet. The theory of stabilisation monoids and regular cost functions. In Automata, Languages and Programming, pages 139-150. Springer, 2009.

[7] L. de Alfaro, T. Henzinger, and R. Majumdar. Discounting the Future in Systems Theory. In J. C. M. Baeten, J. Lenstra, J. Parrow, and G. Woeginger, editors, Automata, Languages and Programming, volume 2719 of Lecture Notes in Computer Science, pages 1022-1037. Springer Berlin Heidelberg, 2003.

[8] S. Demri and P. Gastin. Specification and verification using temporal logics. In D. D'Souza and P. Shankar, editors, Modern Applications of Automata Theory, volume 2 of IISc Research Monographs, chapter 15, pages 457-494. World Scientific, July 2012.

[9] M. Dorigo and L. Gambardella. Ant colony system: A cooperative learning approach to the traveling salesman problem. IEEE Transactions on Evolutionary Computation, 1997.

[10] M. Droste and P. Gastin. Weighted Automata and Weighted Logics. Theoretical Computer Science, 380(1):69-86, 2007.

[11] L. C. Eggan. Transition graphs and the star-height of regular events. Michigan Math. J., 10(4):385-397, Dec. 1963.

[12] D. Gaertner and K. Clark. On optimal parameters for ant colony optimization algorithms. In Proc. International Conference on Artificial Intelligence 2005, pages 83-89. CSREA Press, 2005.

[13] K. Hashiguchi. Algorithms for determining relative star height and star height. Information and Computation, 78(2):124-169, 1988.

[14] D. Kirsten. Distance desert automata and the star height problem. RAIRO - Theoretical Informatics and Applications, 39(3):455-509, 2005.

[15] D. Kuperberg. Linear temporal logic for regular cost functions. Logical Methods in Computer Science, 10(1), 2014.

[16] D. Kuperberg and M. Vanden Boom. On the expressive power of cost logics over infinite words. In Automata, Languages, and Programming, pages 287-298. Springer, 2012.

[17] O. Kupferman, N. Piterman, and M. Vardi. From liveness to promptness. In Computer Aided Verification, pages 406-419. Springer, 2007.

[18] M. Kwiatkowska, G. Norman, and D. Parker. PRISM 4.0: Verification of Probabilistic Real-time Systems. In G. Gopalakrishnan and S. Qadeer, editors, Proc. 23rd International Conference on Computer Aided Verification (CAV'11), volume 6806 of LNCS, pages 585-591. Springer, 2011.

[19] F. Laroussinie, A. Meyer, and E. Petonnet. Counting LTL. In Proc. 2010 17th International Symposium on Temporal Representation and Reasoning, TIME '10, pages 51-58, Washington, DC, USA, 2010. IEEE Computer Society.

[20] H. Nezamabadi-pour, S. Saryazdi, and E. Rashedi. Edge detection using ant algorithms. Soft Computing, 10(7):623-628, 2006.

[21] R. Parpinelli, H. Lopes, and A. Freitas. Data mining with an ant colony optimization algorithm. IEEE Transactions on Evolutionary Computation, 6:321-332, 2002.

[22] E. Renault, A. Duret-Lutz, F. Kordon, and D. Poitrenaud. Three SCC-based Emptiness Checks for Generalized Büchi Automata. In K. McMillan, A. Middeldorp, and A. Voronkov, editors, Proc. 19th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR'13), volume 8312 of LNCS, pages 668-682. Springer, 2013.

[23] K. Rozier and M. Vardi. LTL Satisfiability Checking. International Journal on Software Tools for Technology Transfer, 12(2):123-137, 2010.




A Proof of Property 1

Proof. The proof proceeds by structural induction on $\varphi$. Note that $\varphi[n] = \varphi$ for any $n$ if $\varphi \in \mathrm{LTL}$, therefore the property holds on the LTL fragment (and in particular on literals).

We recall that $[\![\varphi]\!]_\le(u) \le n$ iff $(u, n) \models_\le \varphi$.

Let us assume that the property holds for $\mathrm{LTL}_\le$ formulae $\varphi_1$ and $\varphi_2$. Let $\bowtie \in \{\vee, \wedge, \mathbf{U}, \mathbf{R}\}$. $u \models (\varphi_1 \bowtie \varphi_2)[n]$ iff $u \models \varphi_1[n] \bowtie \varphi_2[n]$. The induction hypothesis allows us to replace every occurrence of $v \models \varphi_i$ in the usual LTL semantics of $\bowtie$ by $(v, n) \models_\le \varphi_i$. This gives the $\mathrm{LTL}_\le$ semantics of $\bowtie$, thus proving that if $u \models (\varphi_1 \bowtie \varphi_2)[n]$, then $(u, n) \models_\le \varphi_1 \bowtie \varphi_2$. The converse reasoning (from $\mathrm{LTL}_\le$ to LTL semantics) proves the converse implication. The same argument applies to the case $\varphi = \mathbf{X}\varphi_1$.

Now consider $\varphi = \varphi_1\ \mathbf{U}_\le\ \varphi_2$. In the general case, $\varphi[n] = (\varphi_1[n]\ \mathbf{U}_\le\ \varphi_2[n])[n]$. Suppose we have a proof for this case when $\varphi_1$ and $\varphi_2$ are LTL formulae. The induction hypothesis allows us to replace any occurrence of $\varphi_1$ and $\varphi_2$ in such a proof by $\varphi_1[n]$ and $\varphi_2[n]$, using the same argument as above. Thus, it suffices to prove the property when $\varphi_1$ and $\varphi_2$ are LTL formulae to conclude the proof.

Assume $\varphi_1$ and $\varphi_2$ are LTL formulae. We now proceed by induction on $n$. If $n = 0$, then $\varphi[n] = \varphi_1\ \mathbf{U}\ \varphi_2$, and $u \models \varphi[n]$ if, and only if, for some index $i$, $u^i \models \varphi_2$ and $u^j \models \varphi_1$ for every $j < i$. In other words, $u \models \varphi[n]$ if, and only if, for some index $i$, $u^i \models \varphi_2$ and $\{j < i \mid u^j \not\models \varphi_1\} = \emptyset$. Thus, $u \models \varphi[n]$ if, and only if, $(u, 0) \models_\le \varphi$.

If the property holds at $n$, then $\varphi[n+1] = (\varphi_1 \vee \mathbf{X}(\varphi[n]))\ \mathbf{U}\ \varphi_2 = (\varphi_1\ \mathbf{U}\ \varphi_2) \vee (\mathbf{X}(\varphi[n])\ \mathbf{U}\ \varphi_2)$. If $u \models \varphi_1\ \mathbf{U}\ \varphi_2$, then $(u, 0) \models_\le \varphi$ as above, or equivalently $[\![\varphi]\!]_\le(u) \le 0 \le n+1$. If $u \models \mathbf{X}(\varphi[n])\ \mathbf{U}\ \varphi_2$, then there is some index $i$ such that $u^i \models \varphi_2$ and $u^{j+1} \models \varphi[n]$ for every $j < i$. Again by induction hypothesis, $(u^i, n+1) \models_\le \varphi_2$. Let us now consider $S = \{j < i \mid (u^j, n+1) \not\models_\le \varphi_1\}$. Let $j < i$. We know that $u^{j+1} \models \varphi[n]$, which is equivalent, by induction hypothesis, to $(u^{j+1}, n) \models_\le \varphi$. Therefore, there exists an index $i_j > j$ such that $(u^{i_j}, n) \models_\le \varphi_2$. Since $(u^i, n+1) \models_\le \varphi_2$, we necessarily have $i_j > i$. $S$ is a subset of $T = \{j < i \mid (u^j, n) \not\models_\le \varphi_1\}$. We know that $T \setminus \{0\}$ is of size at most $n$ (in case $(u^k, n) \models_\le \varphi$ for every $i < k < i_0$). Therefore, $S$ is of size at most $n+1$, which concludes the proof. □
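As an added example (not code from the paper), the following Python evaluator implements the counting semantics that the proof above relies on and that Section 5.2 uses: it computes $[\![\varphi]\!]_\le(u)$ on an ultimately periodic word under the failure-counting reading of $\mathbf{U}_\le$ from Appendix A, unfolds $\varphi[n]$ exactly as the proof does, and checks Property 1 for $\varphi_a$ on a constructed ant trace. The node names s, x, f, the atoms a_v=... / a_d=... and the trace itself are assumptions of the example.

```python
# Added example (not the paper's code): an evaluator for the LTL<= fragment used in
# Section 5.2 and Appendix A over ultimately periodic words u = prefix . loop^omega.
# Formulas are tuples: ("atom", p), ("false",), ("not", f), ("and", f, g), ("or", f, g),
# ("X", f), ("G", f), ("U", f, g) and the counting until ("U<=", f, g).
INF = float("inf")

class Word:
    def __init__(self, prefix, loop):
        self.prefix, self.loop = list(prefix), list(loop)
    def at(self, i):  # letter (a set of atoms) at position i
        return self.prefix[i] if i < len(self.prefix) else self.loop[(i - len(self.prefix)) % len(self.loop)]
    def horizon(self, i):  # every suffix u^k (k >= i) equals some u^k' with k' < horizon(i)
        return (len(self.prefix) if i < len(self.prefix) else i) + len(self.loop)

def sat(u, phi, i=0, n=0):
    """(u^i, n) |=<= phi; as in Appendix A, f U<= g needs a witness k of g with at most
    n positions before k where f fails, and the same n serves the whole formula."""
    op = phi[0]
    if op == "atom": return phi[1] in u.at(i)
    if op == "false": return False
    if op == "not": return not sat(u, phi[1], i, n)
    if op == "and": return sat(u, phi[1], i, n) and sat(u, phi[2], i, n)
    if op == "or": return sat(u, phi[1], i, n) or sat(u, phi[2], i, n)
    if op == "X": return sat(u, phi[1], i + 1, n)
    if op == "G": return all(sat(u, phi[1], k, n) for k in range(i, u.horizon(i)))
    budget, failures = (n if op == "U<=" else 0), 0   # plain U allows no failure of f
    for k in range(i, u.horizon(i)):  # the earliest witness minimises the failure count
        if sat(u, phi[2], k, n): return failures <= budget
        failures += not sat(u, phi[1], k, n)
        if failures > budget: return False
    return False

def value(u, phi):
    """[[phi]]<=(u): least n with (u, n) |=<= phi, INF if none (U<= never negated)."""
    for n in range(len(u.prefix) + len(u.loop) + 1):
        if sat(u, phi, 0, n): return n
    return INF

def unfold(phi, n):
    """phi[n] of Appendix A: f U<= g becomes f0 = f U g, f(k+1) = (f or X f(k)) U g."""
    op = phi[0]
    if op in ("atom", "false"): return phi
    if op in ("not", "X", "G"): return (op, unfold(phi[1], n))
    f, g = unfold(phi[1], n), unfold(phi[2], n)
    if op != "U<=": return (op, f, g)
    out = ("U", f, g)
    for _ in range(n): out = ("U", ("or", f, ("X", out)), g)
    return out

def property1_holds(u, phi, max_n=6):
    # Property 1: [[phi]]<=(u) <= n iff u |= phi[n], checked here for n = 0..max_n
    return all((value(u, phi) <= n) == sat(u, unfold(phi, n)) for n in range(max_n + 1))

# Constructed ant trace (hypothetical nodes s = nest, x, f = food): 2 steps from the nest, then cycling
S_UP, S_DOWN = {"a_v=s", "a_d=up"}, {"a_v=s", "a_d=down"}
X_UP, X_DOWN, F_DOWN = {"a_v=x", "a_d=up"}, {"a_v=x", "a_d=down"}, {"a_v=f", "a_d=down"}
U_ANT = Word(prefix=[F_DOWN, X_DOWN], loop=[S_DOWN, S_UP, X_UP, F_DOWN, X_DOWN])
SOLVED = ("and", ("atom", "a_v=s"), ("atom", "a_d=down"))
TIME_TO_FIRST = ("U<=", ("false",), SOLVED)  # steps before the ant is first back at the nest: 2
PHI_A = ("G", TIME_TO_FIRST)                  # phi_a of Section 5.2, worst case along the run: 4
```

`value(U_ANT, TIME_TO_FIRST)` is 2 while `value(U_ANT, PHI_A)` is 4, which shows what the leading $\mathbf{G}$ adds: the bound must hold from every position of the run, not only from the start.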

B Proof of Property 11

Proof. Consider a path of $\varepsilon$-transitions from a non-reduced state $Y'$ to a reduced state $Y$. Whenever a formula $\psi$ is reduced along this path, it is removed from the current state ($\mathbf{X}\psi$ may appear, but it cannot be reduced until after $Y'$), and only strict sub-formulae of $\psi$ are added. We claim that the operator $\mathbf{R}_i$ (that occurs only once in $\psi$) is reduced at most once along the path (for every $i$). Indeed, once $\psi = \varphi_1\ \mathbf{R}_i\ \varphi_2$ has been reduced, the only way to have it reduced a second time is for it to be added to the current set by the reduction of another formula $\psi'$. This implies that $\psi$ is a sub-formula of $\psi'$. Since $\psi$ cannot be a sub-formula of one of its strict sub-formulae, there was a non-reduced formula $\psi''$ with $\psi$ as a strict sub-formula when $\psi$ was reduced, which contradicts the selection procedure of formulae to be reduced. □